diff options
| author | djm@openbsd.org <djm@openbsd.org> | 2014-11-17 00:21:40 +0000 |
|---|---|---|
| committer | Damien Miller <djm@mindrot.org> | 2014-11-17 11:20:39 +1100 |
| commit | 9f9fad0191028edc43d100d0ded39419b6895fdf (patch) | |
| tree | 83a1dabec592abd8220ff622857d5e50d15e4c75 /krl.c | |
| parent | da8af83d3f7ec00099963e455010e0ed1d7d0140 (diff) | |
upstream commit
fix KRL generation when multiple CAs are in use
We would generate an invalid KRL when revoking certs by serial
number for multiple CA keys due to a section being written out
twice.
Also extend the regress test to catch this case by having it
produce a multi-CA KRL.
Reported by peter AT pean.org
Diffstat (limited to 'krl.c')
| -rw-r--r-- | krl.c | 3 |
1 files changed, 2 insertions, 1 deletions
| @@ -14,7 +14,7 @@ | |||
| 14 | * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. | 14 | * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. |
| 15 | */ | 15 | */ |
| 16 | 16 | ||
| 17 | /* $OpenBSD: krl.c,v 1.17 2014/06/24 01:13:21 djm Exp $ */ | 17 | /* $OpenBSD: krl.c,v 1.18 2014/11/17 00:21:40 djm Exp $ */ |
| 18 | 18 | ||
| 19 | #include "includes.h" | 19 | #include "includes.h" |
| 20 | 20 | ||
| @@ -686,6 +686,7 @@ ssh_krl_to_blob(struct ssh_krl *krl, Buffer *buf, const Key **sign_keys, | |||
| 686 | 686 | ||
| 687 | /* Store sections for revoked certificates */ | 687 | /* Store sections for revoked certificates */ |
| 688 | TAILQ_FOREACH(rc, &krl->revoked_certs, entry) { | 688 | TAILQ_FOREACH(rc, &krl->revoked_certs, entry) { |
| 689 | buffer_clear(§); | ||
| 689 | if (revoked_certs_generate(rc, §) != 0) | 690 | if (revoked_certs_generate(rc, §) != 0) |
| 690 | goto out; | 691 | goto out; |
| 691 | buffer_put_char(buf, KRL_SECTION_CERTIFICATES); | 692 | buffer_put_char(buf, KRL_SECTION_CERTIFICATES); |